A card is stored in the database is only contained in one table/field called fCreditCards.CD_CARD_NO. There are no other permanent or temporary locations where it is stored. The card number can be removed using the shred feature. PCI DSS standard 3.1

Notes:

A shredded card is stored in the database as '#### **** **** ####'. This renders the PAN useless for all purposes. However, if given the first 4 and last 4 digits of any card, you can still search for and find the patron who used a card starting and ending with those digits (the card, of course, will not exist in the database).

Schedule "D" compliance with about 120 days of retention is sufficient for most venues, especially if you are using post dated payments or may have to deal with refunds for cancelled events

Schedule "C" compliance means that no card information will every be stored in the database. It means cancellation of an event will need the customer service team to call a patron to get the card to process a refund, or to convert any refund to patrons to store credit such as a gift certificate.